gha: Update workflow for v1.32

Author: sayboras

.github/workflows/build-envoy-image-ci.yaml

@@ -1,7 +1,7 @@
 name: CI Build & Push
 on:
   pull_request_target:
-    types: [opened, synchronize, reopened]
+    types: [ opened, synchronize, reopened ]
 
 permissions:
   # To be able to access the repository with `actions/checkout`
@@ -19,131 +19,131 @@ jobs:
     name: Build and push multi-arch images
     runs-on: ubuntu-latest-64-cores-256gb
     steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-        with:
-          image: tonistiigi/binfmt:qemu-v7.0.0-28
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Cache Docker layers
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
-        with:
-          path: /tmp/buildx-cache
-          key: docker-cache-${{ github.head_ref }}
-          restore-keys: docker-cache-main
-
-      - name: Login to quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
-          password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}
-
-      - name: Checkout PR
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          persist-credentials: false
-
-      - name: Prep for build
-        run: |
-          echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
-          echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
-          echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
-          echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV
-
-      - name: Checking if cilium-envoy-builder image exists
-        id: cilium-builder-tag-in-repositories
-        shell: bash
-        run: |
-          if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
-            echo exists="true" >> $GITHUB_OUTPUT
-          else
-            echo exists="false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: PR Multi-arch build & push of Builder image (dev)
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
-        id: docker_build_builder_ci
-        with:
-          provenance: false
-          context: .
-          file: ./Dockerfile.builder
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
-
-      - name: CI Builder Image Digest
-        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
-        shell: bash
-        run: |
-          echo "Digests:"
-          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"
-
-      - name: PR Multi-arch build & push of cilium-envoy
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        id: docker_build_ci
-        with:
-          provenance: false
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
-            ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
-            BAZEL_BUILD_OPTS=--remote_upload_local_results=false
-          cache-from: type=local,src=/tmp/buildx-cache
-          cache-to: type=local,dest=/tmp/buildx-cache,mode=max
-          push: true
-          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-
-      - name: Sign Container Image
-        run: |
-          cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
-
-      - name: Install Bom
-        shell: bash
-        env:
-          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
-          BOM_VERSION: v0.6.0
-        run: |
-          curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
-          sudo mv ./bom /usr/local/bin/bom
-          sudo chmod +x /usr/local/bin/bom
-
-      - name: Generate SBOM
-        shell: bash
-        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
-        run: |
-          bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
-
-      - name: Attach SBOM to container images
-        run: |
-          cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
-
-      - name: Sign SBOM Image
-        run: |
-          docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
-          image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
-          docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
-          cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"
-
-      - name: Envoy binary version check
-        shell: bash
-        run: |
-          envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
-          expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//')
-          echo ${envoy_version}
-          [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]]
-
-      - name: CI Image Digest
-        shell: bash
-        run: |
-          echo "Digests:"
-          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      with:
+        image: tonistiigi/binfmt:qemu-v7.0.0-28
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+    - name: Cache Docker layers
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: /tmp/buildx-cache
+        key: docker-cache-${{ github.head_ref }}
+        restore-keys: docker-cache-main
+
+    - name: Login to quay.io
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
+        password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}
+
+    - name: Checkout PR
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        persist-credentials: false
+
+    - name: Prep for build
+      run: |
+        echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
+        echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
+        echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
+        echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV
+
+    - name: Checking if cilium-envoy-builder image exists
+      id: cilium-builder-tag-in-repositories
+      shell: bash
+      run: |
+        if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
+          echo exists="true" >> $GITHUB_OUTPUT
+        else
+          echo exists="false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: PR Multi-arch build & push of Builder image (dev)
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
+      id: docker_build_builder_ci
+      with:
+        provenance: false
+        context: .
+        file: ./Dockerfile.builder
+        platforms: linux/amd64,linux/arm64
+        push: true
+        tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
+
+    - name: CI Builder Image Digest
+      if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
+      shell: bash
+      run: |
+        echo "Digests:"
+        echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"
+
+    - name: PR Multi-arch build & push of cilium-envoy
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      id: docker_build_ci
+      with:
+        provenance: false
+        context: .
+        file: ./Dockerfile
+        platforms: linux/amd64,linux/arm64
+        build-args: |
+          BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
+          ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.base_ref }}-archive-latest
+          BAZEL_BUILD_OPTS=--remote_upload_local_results=false
+        cache-from: type=local,src=/tmp/buildx-cache
+        cache-to: type=local,dest=/tmp/buildx-cache,mode=max
+        push: true
+        tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+
+    - name: Sign Container Image
+      run: |
+        cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
+
+    - name: Install Bom
+      shell: bash
+      env:
+        # renovate: datasource=github-releases depName=kubernetes-sigs/bom
+        BOM_VERSION: v0.6.0
+      run: |
+        curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
+        sudo mv ./bom /usr/local/bin/bom
+        sudo chmod +x /usr/local/bin/bom
+
+    - name: Generate SBOM
+      shell: bash
+      # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
+      run: |
+        bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
+
+    - name: Attach SBOM to container images
+      run: |
+        cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
+
+    - name: Sign SBOM Image
+      run: |
+        docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
+        image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
+        docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
+        cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"
+
+    - name: Envoy binary version check
+      shell: bash
+      run: |
+        envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
+        expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//')
+        echo ${envoy_version}
+        [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]]
+
+    - name: CI Image Digest
+      shell: bash
+      run: |
+        echo "Digests:"
+        echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"